azurerm_kubernetes_cluster - support for the kube_proxy property #19567
ms-henglu commented Dec 6, 2022
Thanks for this PR @ms-henglu, I've left several questions and comments in-line, once those are resolved we can take another look through.
internal/services/containers/kubernetes_cluster_network_resource_test.go
if input[0] == nil {
	return &managedclusters.ContainerServiceNetworkProfileKubeProxyConfig{
		Enabled: utils.Bool(true),
	}
}
Why are we enabling it here?
I've removed this if block and made the mode a required field.
Great to see that this feature is coming. In https://learn.microsoft.com/en-us/azure/aks/configure-kube-proxy it's an option to disable

{
  "enabled": true,
  "mode": "IPVS",
  "ipvsConfig": {
    "scheduler": "LeastConnection",
    "TCPTimeoutSeconds": 900,
    "TCPFINTimeoutSeconds": 120,
    "UDPTimeoutSeconds": 300
  }
}

This is something that needs to be supported, especially together with BYOCNI mode.
@NissesSenap, the omission of the block in the config should disable
Thanks for the quick reply @stephybun. This feature is also optional, so I think we are missing the
@NissesSenap, if we were flattening the Since we're keeping it as a block, enabling it is done in the usual fashion by adding it into the config, i.e.
Disabling it is done purely by removing the block from the resource config.
If you're familiar with or have used some of the AKS add-ons they behave in the same way e.g. Also very happy for any feedback on the docs that would help better clarify this pattern/behaviour within the provider.
@stephybun once again I might be wrong but I'm rather sure that what you describe would be a breaking change. The kube-proxy config supports three big configuration areas according to my understanding of https://learn.microsoft.com/en-us/azure/aks/configure-kube-proxy.

Configure kube-proxy to use IPVS

A new feature in AKS that makes it possible to use IPVS in kube-proxy

{
  "enabled": true,
  "mode": "IPVS",
  "ipvsConfig": {
    "scheduler": "LeastConnection",
    "TCPTimeoutSeconds": 900,
    "TCPFINTimeoutSeconds": 120,
    "UDPTimeoutSeconds": 300
  }
}

Configure kube-proxy to use IPAM

This is the default setting and currently used by all AKS clusters (don't know the exact config but something like this).

{
  "enabled": true,
  "mode": "IPAM",
  "ipvsConfig": {
    "scheduler": "LeastConnection",
    "TCPTimeoutSeconds": 900,
    "TCPFINTimeoutSeconds": 120,
    "UDPTimeoutSeconds": 300
  }
}

Disable kube-proxy

If you want to disable kube-proxy from running in your cluster altogether.

{
  "enabled": false
}

What you describe in your last comment

resource "azurerm_kubernetes_cluster" "example" {
  name = "myakscluster"
  ...
  network_profile {
    network_plugin = "azure"
  }
  ...
}

Would disable kube-proxy on all clusters that have defined the This is not what you want.

Real example

This is my current setting in my cluster when using BYOCNI in AKS.

resource "azurerm_kubernetes_cluster" "example" {
  name = "myakscluster"
  ...
  network_profile {
    network_plugin    = "none"
    load_balancer_sku = "standard"
    load_balancer_profile {
      outbound_ip_prefix_ids = [
        var.aks_public_ip_prefix_id
      ]
    }
  }
  ...
}

Summary

All I want to do is to disable kube-proxy from running on my cluster altogether.
@ms-henglu could you please resolve the merge conflict? This should be good to go then.
Hi @stephybun, Thanks! I've resolved the conflicts.
@NissesSenap, apologies for the late response and thank you for outlining your concerns and current scenario. After looking through the PR again and making further changes I believe this should no longer be a breaking change. The API returns kube proxy information in the response only once it's been modified. With the current implementation the provider would only send a value for I hope this resolves any confusion about this feature. If there are any issues please do let us know and thanks again for your input!
Thanks @ms-henglu, LGTM 🦘
How do you explicitly disable it then? It looks to me like keeping the default kube-proxy config or disabling it altogether are both using the absence of the block, am I wrong?
Yes, I was also thinking about this. Does the absence of the whole block result in a cluster with missing kube-proxy?
Thank you all for your input and questions - it's much appreciated and you've all raised very valid points that I unfortunately overlooked in my reviews. As it stands I do not think we can support this feature in its current state due to the behaviour of the API and the fact that Kube Proxy is a functionality that is enabled on clusters by default. I've raised an issue over on Azure/azure-rest-api-specs#22208 detailing the behaviour and hope the AKS team will take a look and can resolve them. Presently there is no straightforward way to expose this feature without shipping either a breaking change, or a roundabout way of explicitly disabling Kube Proxy. To answer your question @EppO @mkilchhofer, the only way to explicitly disable Kube Proxy (with the way that it has been shipped) would be to add the block, apply, and then to remove the block. This is because the API does not supply the kube proxy configuration in the response unless it's been modified, even once the preview feature for it has been enabled. I concede that this is less than ideal. The initial implementation where we always send As a result I'm going to revert this PR for the moment. Apologies for jumping the gun on this one.
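The add-then-remove behaviour described in the comment above, modelled as an added Go example (not the provider's code and not written by any participant in this thread). The type and function names are hypothetical, and the mapping from block presence to request payload is an assumption drawn from that description.

```go
package main

import "fmt"

// KubeProxyBlock models the optional kube_proxy block in the Terraform config.
// nil means the block is absent. (Hypothetical type for this example.)
type KubeProxyBlock struct{ Mode string }

// KubeProxyPayload models what is sent to the API. nil means the property is
// omitted from the request, so the service keeps whatever it already has.
type KubeProxyPayload struct {
	Enabled bool
	Mode    string
}

// expand maps (previously applied block, new block) to the request payload,
// following the behaviour described in the thread (assumed, simplified).
func expand(prev, cur *KubeProxyBlock) *KubeProxyPayload {
	switch {
	case cur != nil: // block present: enable with the chosen mode
		return &KubeProxyPayload{Enabled: true, Mode: cur.Mode}
	case prev != nil: // block removed after being applied: explicit disable
		return &KubeProxyPayload{Enabled: false}
	default: // never configured: send nothing, kube-proxy keeps running
		return nil
	}
}

// applySequence runs successive applies and reports what each one sends.
func applySequence(configs []*KubeProxyBlock) []string {
	var prev *KubeProxyBlock
	out := make([]string, 0, len(configs))
	for _, cur := range configs {
		switch p := expand(prev, cur); {
		case p == nil:
			out = append(out, "omitted")
		case p.Enabled:
			out = append(out, "enabled mode="+p.Mode)
		default:
			out = append(out, "disabled")
		}
		prev = cur
	}
	return out
}

func main() {
	ipvs := &KubeProxyBlock{Mode: "IPVS"} // constructed sample config
	fmt.Println(applySequence([]*KubeProxyBlock{nil}))       // block never added
	fmt.Println(applySequence([]*KubeProxyBlock{ipvs, nil})) // add, apply, remove
}
```

A cluster whose config never contained the block only ever produces "omitted", which is why a single apply cannot express an explicit disable in this model.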
Glad we helped you sort this one out. EDIT: scratch that, I just read Azure/azure-rest-api-specs#22208 and I get it's an API issue now.
👍
This functionality has been released in v3.40.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.